This note documents detection patterns related to ADCS ESC12 within Active Directory environments.

## Direct Indicators

| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5136 | Directory object modified | Critical | ESC12 involves modification of OID objects inside the PKI configuration. Review ObjectDN and AttributeLDAPDisplayName for changes in OID mappings. |
| Security | 4886 | Certificate issued | High | Certificate issued after malicious OID configuration change. |
| Security | 4887 | Certificate request approved | Medium | Unexpected approvals following PKI configuration change. |
| Security | 4768 | Kerberos TGT request | High | Certificate obtained through ESC12 may be used for PKINIT authentication. |
| Security | 4624 | Successful logon | High | Certificate-based authentication after issuance. |
| Security | 4672 | Special privileges assigned | High | Privileged session established following certificate authentication. |
| Sysmon | 1 | Process creation | Medium | Execution of Certipy, Certify, or PowerView manipulating PKI objects. |

## Indirect Indicators

| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| OID object modification | Changes to objects under CN=OID,CN=Public Key Services | Critical | ESC12 relies on manipulation of OID group link attributes. |
| Unexpected group linkage to certificate OID | OID mapped to privileged security group | Critical | Allows authentication certificates to grant group privileges. |
| Low privilege user modifying PKI configuration | Unexpected actor modifying OID container | High | Indicates attacker manipulating PKI configuration. |
| Certificate issued shortly after OID change | Enrollment events immediately following configuration modification | High | Suggests exploitation chain. |
| Administrative actions after authentication | ACL changes or group membership changes | Critical | Indicates escalation using certificate authentication. |
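The two tables above turn on one question: does a given Event 5136 touch an object under CN=OID,CN=Public Key Services, and if so, was it a group-link attribute and an expected actor. The following is an added example (not code from the original note) that parses a 5136 record in the Windows event XML shape and scores it the way the tables describe. The attribute name msDS-OIDToGroupLink is the real AD attribute that links an OID object to a group; the sample event values, the host name and the `EXPECTED_PKI_ADMINS` allowlist are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Get-WinEvent / wevtutil exports.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Container path from the note; matched case-insensitively as a substring of ObjectDN.
OID_CONTAINER = "CN=OID,CN=Public Key Services"
# Attribute that maps an OID object to a security group (what the note calls the
# "OID group link attributes"); compared lower-case.
GROUP_LINK_ATTRIBUTES = {"msds-oidtogrouplink"}
# Constructed allowlist of accounts expected to modify the OID container.
EXPECTED_PKI_ADMINS = {"pkiadmin"}
# OperationType codes carried by Event 5136.
OPERATION_NAMES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


def sample_5136(user, object_dn, attribute, value, operation="%%14674"):
    """Build a constructed Event 5136 XML record in the Windows event schema."""
    return f"""<Event xmlns="{EVENT_NS['e']}">
  <System><EventID>5136</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">{object_dn}</Data>
    <Data Name="AttributeLDAPDisplayName">{attribute}</Data>
    <Data Name="AttributeValue">{value}</Data>
    <Data Name="OperationType">{operation}</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten System/EventID, Computer and every EventData/Data element into a dict."""
    root = ET.fromstring(xml_text)
    event = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    event["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS))
    event["Computer"] = root.findtext("e:System/e:Computer", namespaces=EVENT_NS)
    return event


def assess_oid_modification(event):
    """Return (severity, reasons); severity is None when the event is not an OID-container change."""
    if event.get("EventID") != 5136:
        return None, []
    if OID_CONTAINER.lower() not in event.get("ObjectDN", "").lower():
        return None, []
    severity = "high"
    reasons = [f"directory object under {OID_CONTAINER} modified"]
    attribute = event.get("AttributeLDAPDisplayName", "")
    if attribute.lower() in GROUP_LINK_ATTRIBUTES:
        # A changed OID-to-group link is the core ESC12 indicator: critical regardless of actor.
        severity = "critical"
        op_code = event.get("OperationType", "")
        reasons.append(f"OID-to-group link changed ({OPERATION_NAMES.get(op_code, op_code)}): "
                       f"{event.get('AttributeValue', '')}")
    actor = event.get("SubjectUserName", "").lower()
    if actor not in EXPECTED_PKI_ADMINS:
        # Any non-PKI-admin writing into the container is unexpected (indirect indicator table).
        severity = "critical"
        reasons.append(f"actor {actor!r} is not an expected PKI administrator")
    return severity, reasons
```

Feed it the `EventData` of real 5136 records exported with `wevtutil qe Security /f:xml` and the same three fields (ObjectDN, AttributeLDAPDisplayName, SubjectUserName) drive the triage; a PKI administrator renaming an OID object scores "high", a group-link change by anyone scores "critical".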

## Common Tools

| Tool | Usage |
|---|---|
| Certipy | Enumerates and exploits ESC12 PKI misconfigurations. |
| PowerView | Modifies AD objects including OID container attributes. |
| Certify | Requests certificates after OID manipulation. |
| BloodHound | Identifies privilege escalation paths involving PKI objects. |
| Rubeus | Uses issued certificates for Kerberos PKINIT authentication. |

## Relevant Artifacts

- Domain controller Security logs (5136)
- ADCS server logs (4886, 4887)
- Configuration partition objects in Active Directory
- CN=OID,CN=Public Key Services container
- PKINIT authentication logs
- Sysmon logs (1)
- EDR telemetry identifying certificate abuse tooling
- Prefetch artifacts for Certipy or PowerView

## MITRE ATT&CK References

- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
- T1098 Account Manipulation
- T1078 Valid Accounts

## Decision Tree

- Is the suspicious event present?
  - Look for Event 5136 modifying OID objects.
- What host generated the event?
  - Identify the system that modified the PKI configuration.
- Is the account expected to perform this action?
  - Only PKI administrators should modify OID objects.
- Pivot:
  - Source host → inspect execution of Certipy or PowerView.
  - Account → review permission changes and group mappings.
  - Network → inspect PKINIT authentication events following certificate issuance.
- Confirm exploitation
  - Determine whether certificate authentication granted unexpected group privileges.
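The decision tree and the "Certificate issued shortly after OID change" indicator describe a time-ordered chain: 5136 on the OID container, then 4886/4887 on the CA, then a PKINIT TGT (4768), then a privileged session (4672). The following added example (not part of the original note) runs that correlation over already-flattened events and reports, per OID change, which stages the same account reached inside a window. The events, host names and account names are constructed; the chain is keyed on the account that made the OID change, which is an assumption of this example (an attacker could request the certificate as a different account, so widen the match if your data shows that). Pre-authentication types 15, 16 and 17 are the PKINIT PA-DATA numbers from RFC 4556 as they appear in the 4768 PreAuthType field.

```python
from datetime import datetime, timedelta

OID_CONTAINER = "CN=OID,CN=Public Key Services"
# PA-DATA types that indicate a certificate-based (PKINIT) TGT request in Event 4768:
# 15 = PA-PK-AS-REP_OLD, 16 = PA-PK-AS-REQ, 17 = PA-PK-AS-REP (RFC 4556 numbering).
PKINIT_PREAUTH_TYPES = {"15", "16", "17"}
# Stages of the chain the decision tree walks, in order.
STAGES = ("oid_object_modified", "certificate_requested_or_issued", "pkinit_tgt", "privileged_logon")

# Constructed events, already flattened (EventID plus EventData names); times are UTC.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Time": "2024-05-01T10:00:00", "Computer": "DC01", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=1234567.ABCDEF,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-OIDToGroupLink"},
    {"EventID": 4886, "Time": "2024-05-01T10:03:00", "Computer": "CA01", "Requester": "CORP\\jdoe"},
    {"EventID": 4887, "Time": "2024-05-01T10:03:05", "Computer": "CA01", "Requester": "CORP\\jdoe"},
    {"EventID": 4768, "Time": "2024-05-01T10:05:00", "Computer": "DC01", "TargetUserName": "jdoe", "PreAuthType": "16"},
    {"EventID": 4672, "Time": "2024-05-01T10:05:02", "Computer": "DC01", "SubjectUserName": "jdoe"},
    # Unrelated password-based TGT request for another account (PreAuthType 2 = PA-ENC-TIMESTAMP).
    {"EventID": 4768, "Time": "2024-05-01T09:00:00", "Computer": "DC01", "TargetUserName": "alice", "PreAuthType": "2"},
]


def _account(value):
    """Normalise 'CORP\\jdoe' or 'jdoe@corp.example' to the bare lower-case account name."""
    return value.split("\\")[-1].split("@")[0].lower()


def _stage_of(event):
    """Map an event to the chain stage it evidences (or None) and the account it concerns."""
    eid = event["EventID"]
    if eid == 5136 and OID_CONTAINER.lower() in event.get("ObjectDN", "").lower():
        return STAGES[0], _account(event.get("SubjectUserName", ""))
    if eid in (4886, 4887):
        return STAGES[1], _account(event.get("Requester", ""))
    if eid == 4768 and event.get("PreAuthType") in PKINIT_PREAUTH_TYPES:
        return STAGES[2], _account(event.get("TargetUserName", ""))
    if eid == 4672:
        return STAGES[3], _account(event.get("SubjectUserName", ""))
    return None, None


def correlate(events, window=timedelta(hours=1)):
    """Anchor on each OID-container modification and collect the later stages reached by the
    same account within `window`. Returns one summary dict per anchor event."""
    tagged = []
    for e in events:
        stage, account = _stage_of(e)
        if stage:
            tagged.append((datetime.fromisoformat(e["Time"]), stage, account, e))
    tagged.sort(key=lambda t: t[0])
    chains = []
    for t0, stage, actor, anchor in tagged:
        if stage != STAGES[0]:
            continue
        reached = {STAGES[0]: t0}
        for t, s, acct, _ in tagged:
            if acct == actor and t0 <= t <= t0 + window and s not in reached:
                reached[s] = t  # first time each later stage is seen for this actor
        ordered = [s for s in STAGES if s in reached]
        chains.append({
            "actor": actor,
            "anchor_host": anchor.get("Computer"),
            "oid_change_time": t0.isoformat(),
            "stages": ordered,
            "complete": ordered == list(STAGES),
        })
    return chains
```

A chain that stops at the issuance stage is still worth a case (the OID change alone is the critical indicator); a complete chain is the "confirm exploitation" leaf of the decision tree and should go straight to the group-membership and ACL review the last pivot calls for.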

## Example Detection Templates

### KQL

```kql
SecurityEvent
| where EventID == 5136
| where ObjectDN contains "CN=OID"
| project TimeGenerated, SubjectUserName, ObjectDN, AttributeLDAPDisplayName
```

```kql
SecurityEvent
| where EventID == 4886
| summarize count() by CertificateTemplate, Requester, bin(TimeGenerated, 10m)
```

### EQL

```eql
any where event.code == "5136" and winlog.event_data.ObjectDN : "*CN=OID,CN=Public Key Services*"
```

### Sigma

```yaml
title: Suspicious PKI OID Object Modification
id: adcs-esc12-detection
status: experimental
description: Detects modification of PKI OID objects potentially enabling ESC12 exploitation
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    ObjectDN|contains: 'CN=OID,CN=Public Key Services'
  condition: selection
fields:
  - SubjectUserName
  - ObjectDN
falsepositives:
  - Legitimate PKI administrative operations
level: high
tags:
  - attack.persistence
  - attack.t1098
```

## Mitigation & Hardening

| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| PKI configuration protection | Restrict modification rights to PKI containers | Critical | Prevents attackers altering OID mappings. |
| OID auditing | Regularly review OID object configuration | High | Detects unauthorized changes. |
| Administrative separation | Use dedicated PKI administrator accounts | High | Reduces misuse of privileges. |
| Monitoring | Alert on Event 5136 involving OID objects | High | Early detection of configuration tampering. |
| PKI security review | Conduct periodic PKI security assessments | High | Identifies misconfigurations enabling ESC12. |
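The "OID auditing" and "PKI security review" rows both come down to periodically listing which OID objects carry a group link and comparing that against what the PKI team approved. The following added example (not the note's own tooling) does that review offline over an LDIF export of the OID container, such as one produced with `ldifde`. msDS-OIDToGroupLink, msPKI-Cert-Template-OID and msPKI-Enterprise-Oid are real attribute and class names; the export contents, the `APPROVED_LINKS` baseline and the privileged-group list are constructed for the example.

```python
# Constructed LDIF export of the OID container; object names, OIDs and groups are made up.
SAMPLE_LDIF = """\
dn: CN=1234567.ABCDEF,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
objectClass: msPKI-Enterprise-Oid
displayName: Workstation Issuance Policy
msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.1111111.2222222.3333333.4444444.5555555.666.1.100
msDS-OIDToGroupLink: CN=Domain Admins,CN=Users,DC=corp,DC=example

dn: CN=7654321.FEDCBA,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
objectClass: msPKI-Enterprise-Oid
displayName: Contractor Policy
msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.1111111.2222222.3333333.4444444.5555555.666.1.101
msDS-OIDToGroupLink: CN=Contractor-VPN,OU=Groups,DC=corp,DC=example

dn: CN=1122334.AABBCC,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
objectClass: msPKI-Enterprise-Oid
displayName: Plain Application Policy
msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.1111111.2222222.3333333.4444444.5555555.666.1.102
"""

# Approved baseline: OID object DN -> group DN the PKI team signed off on (constructed).
APPROVED_LINKS = {
    "CN=7654321.FEDCBA,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example":
        "CN=Contractor-VPN,OU=Groups,DC=corp,DC=example",
}
# Groups a certificate must never confer; constructed list, extend for your environment.
PRIVILEGED_GROUP_CNS = {"domain admins", "enterprise admins", "administrators", "schema admins"}


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attr: [values]} dicts, honouring ' ' continuation lines.
    Base64 ('::') values are not decoded, which is fine for DN and OID attributes."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last is not None:   # folded continuation of previous value
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():                            # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last = attr
    return entries


def _rdn_cn(dn):
    """Lower-case CN of the first RDN, e.g. 'CN=Domain Admins,...' -> 'domain admins'."""
    first = dn.split(",", 1)[0]
    return first[3:].lower() if first.upper().startswith("CN=") else first.lower()


def audit_oid_links(ldif_text, approved=APPROVED_LINKS):
    """List every OID object carrying msDS-OIDToGroupLink and flag links that are not in the
    approved baseline or that point at a privileged group."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        for group_dn in entry.get("msDS-OIDToGroupLink", []):
            issues = []
            if approved.get(dn) != group_dn:
                issues.append("not in approved baseline")
            if _rdn_cn(group_dn) in PRIVILEGED_GROUP_CNS:
                issues.append("links to privileged group")
            findings.append({"oid_object": dn, "display_name": entry.get("displayName", [""])[0],
                             "group": group_dn, "issues": issues})
    return findings
```

Run it against a fresh export on a schedule and diff the findings: any link outside the baseline is the "unauthorized change" the OID auditing row is meant to catch, and a link to a privileged group is the condition that makes an issued certificate an escalation path.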